JavaScript support is required for our site to be fully operational in your browser.
Win32.HLLW.Autoruner2.19101
Added to the Dr.Web virus database:
2015-01-28
Virus description added:
2015-01-28
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'StrongholdMuliplayer' = '<SYSTEM32>\SteamConfig\StrongholdMuliplayer.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'UserInit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\SteamConfig\StrongholdMuliplayer.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '1yQCGfURLdaxTrxt' = '%APPDATA%\<Virus name>.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Svchost' = '<Full path to virus>'
Creates the following files on removable media:
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\Sys.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
Creates and executes the following:
'<SYSTEM32>\SteamConfig\StrongholdMuliplayer.exe'
Executes the following:
'<SYSTEM32>\netsh.exe' firewall add portopening TCP 139 blah enable subnet
'<SYSTEM32>\netsh.exe' firewall add portopening UDP 138 blah enable subnet
'%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe'
'<SYSTEM32>\netsh.exe' firewall add portopening TCP 445 blah enable subnet
'<SYSTEM32>\netsh.exe' firewall add portopening UDP 137 blah enable subnet
'<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
'<SYSTEM32>\netsh.exe' Firewall set service REMOTEDESKTOP
'<SYSTEM32>\netsh.exe' Firewall set opmod disable
Injects code into
the following system processes:
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Modifies settings of Windows Explorer:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] 'NoFolderOptions' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
Modifies file system :
Creates the following files:
C:\autorun.inf
<SYSTEM32>\SteamConfig\StrongholdMuliplayer.exe
%APPDATA%\<Virus name>.exe
C:\Sys.exe
Sets the 'hidden' attribute to the following files:
<Drive name for removable media>:\Sys.exe
<Drive name for removable media>:\autorun.inf
<SYSTEM32>\SteamConfig\StrongholdMuliplayer.exe
C:\autorun.inf
%APPDATA%\<Virus name>.exe
<Full path to virus>
C:\Sys.exe
Miscellaneous:
Searches for the following windows:
ClassName: 'Indicator' WindowName: ''
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK